[Acme] question for draft-ietf-acme-authority-token-07#section-4

Daniel Migault <mglt.ietf@gmail.com> Wed, 08 December 2021 18:38 UTC

From: Daniel Migault <mglt.ietf@gmail.com>
Date: Wed, 08 Dec 2021 13:38:29 -0500
Message-ID: <CADZyTkkTs7m-CgR2aghjFGO-Ebm-e-7aBqqmhHKD4z=CW6-gfQ@mail.gmail.com>
To: acme@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/j9DuRVP3Tq-YzuZuppLG0ECGEbg>
Subject: [Acme] question for draft-ietf-acme-authority-token-07#section-4

Hi,

Reading section 4 of authority-token-07, I had a few questions that came to
me.

If I understand it correctly, the type of the JWT is defined by a claim
'atc' as opposed to having a claim tkauth-type set to atc. Defining a
tkauth-type seems to me preferred as to enable the use of the claim 'atc'
in another context, but I am wondering if I am missing anything here.

token authority x5u seems to be defined in RFC7517, which should probably be
mentioned here as well. I am wondering about the motivations to restrict the
usage to x5u, as well as how x5u and iss should be handled when different
values are provided for x5u and iss.

I have the impression the section describes multiple things:
1. a new type of challenge (token)
2. the format of a (generic) token that the ACME server may interpret
3. a specific token type ( atc )

Having not read [I-D.ietf-acme-authority-token-tnauthlist], it is a bit
difficult to understand what is generic for the use of tokens and what
is specific to [I-D.ietf-acme-authority-token-tnauthlist]. Typically,
suppose I would like to use a token for other purposes than "TnAuthList"; I
would like to understand how to take advantage of the framework and what
changes would be needed. Could you clarify this for me?

I expect the challenges to be proposed by the ACME server as follows:

  "challenges": [
       {
         "type": "http-01",
         "url": "https://example.com/acme/chall/prV_B7yEyA4",
         "token": "DGyRejmCefe7v4NfDGDKfA"
       },
       {
         "type": "dns-01",
         "url": "https://example.com/acme/chall/Rg5dV14Gh1Q",
         "token": "DGyRejmCefe7v4NfDGDKfA"
       }
     ]

I can see 'tkauth-01' as being a type, url, the url where the attested
token will be uploaded, but it is not entirely clear to me what the Token
challenge as expressed in 8555 section 8.3, or section 8.4 would be. I am
wondering if you could clarify this to me.

Just to make sure I understand it correctly, once the ACME client picks a
token challenge, it requests the Token Authority to generate a token and
then POSTs it to the url provided by the challenge object. Am I correct? I
think a description of the exchange would ease the readability of the
document.

Yours,
Daniel

-- 
Daniel Migault
Ericsson
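The mail asks how an ACME server should treat the 'atc' claim and the x5u / iss pair of the authority token. The following is an added example, not code from the draft or its authors: it parses the unverified header and payload of a compact JWS and reports those points. The token layout is constructed, the signature is a placeholder that is deliberately not verified, and the rule that the x5u host must match the iss host is an assumed local policy, not something the draft states.

```python
import base64
import json
from urllib.parse import urlparse


def b64url_decode(s: str) -> bytes:
    # JWS uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_sample_token(x5u: str, iss: str, atc=None) -> str:
    # Constructed sample token: the third segment is NOT a real signature.
    header = {"alg": "ES256", "typ": "JWT", "x5u": x5u}
    payload = {"iss": iss, "exp": 1639000000, "jti": "constructed-id"}
    if atc is not None:
        payload["atc"] = atc
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(b"placeholder-unverified-signature"),
    ])


def inspect_authority_token(token: str) -> dict:
    """Report the claims the mail asks about. Signature is not checked here;
    a real server must verify it against the certificate fetched from x5u."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    x5u = header.get("x5u")
    iss = payload.get("iss")
    x5u_host = urlparse(x5u).hostname if x5u else None
    # iss may be a bare host or a URL; normalise both to a hostname.
    iss_host = urlparse(iss).hostname if iss and "://" in iss else iss
    return {
        "has_atc": "atc" in payload,
        "has_x5u": x5u is not None,
        # Assumed policy: the certificate location must belong to the issuer.
        "issuer_matches_x5u": x5u_host is not None and x5u_host == iss_host,
    }
```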